
Can Healthcare Ransomware Be Stopped? Yes, It Can!

Posted on May 25, 2016

The following is a guest blog post by Steven Marco, CISA, ITIL, HP SA and President of HIPAA One®.
As an Auditor at HIPAA One®, my goal is to dot every “i” and cross every “t” to ensure a comprehensive HIPAA Security Risk Analysis. The HIPAA One® Security Risk Analysis is a tool to guarantee compliance, automate risk calculations and identify high-risk technical, administrative, physical and organizational vulnerabilities.

Recently, I was on-site for a client named “Care Health” (name changed to protect their identity). Care Health had invested in the highest level of our SRA (Security Risk Analysis) to cover all aspects of security and protection from Ransomware, malware, and the proverbial “sophisticated malware.”

The HIPAA One® HIPAA Security Risk Analysis and Compliance Interview process guided Care Health through a series of HIPAA citation-based questions and required users to upload documents to demonstrate compliance.  These questions directly addressed the organization’s security controls in place to protect against ransomware and cyber-threats.  You can see a sample of the citation-driven controls HIPAA One required for malware and malicious software below:

Technical Audit Controls 164.312(b)
HIPAA One® Requirement:  Upload screenshots of the systems configuration page(s) detecting malware network communications or ePHI/PII going out/in.
Client Controls:  End-user education on malware and phishing. Cisco IPS/IPS module active to block critical threats and WebSense Filter for deep-packet web-traffic inspection.

Administrative Protection from Malicious Software 164.308(a)(5)(ii)(B)
HIPAA One® Requirement:  Provide a document showing a list of all servers, workstations and other devices with updated AV Software versions.
Client Controls: BitDefender Enterprise deployed on all workstations and laptops.

Administrative Procedures to guard against malicious software 164.308(a)(5)(ii)(B)
HIPAA One® Requirement:  Please upload a list of each server and sample of PC devices containing server name, O/S version, Service pack and the most recent security updates as available by the software vendor.  Verify critical security patches are current.
Client Controls: Microsoft Security Operations Center combined with an exhaustive change-management process to test new patches prior to release.

HIPAA Citation:  Administrative Training program for workers and managers 164.308(a)(5)(i) for the HR Director role.
HIPAA One® Requirement: Please upload a screen capture of the HIPAA training system’s grades for individual employees and describe the training/grading system in the notes section. Go through the training and verify that it effectively addresses the organization’s Policies and Procedures with real-world threats.
Client Controls: Training is due and required before bonuses, pay raises or work schedules are awarded. Workforce and IT Helpdesk staff are trained to forward any calls regarding suspicious activities to the HIPAA Security Officer (HSO).


Back to the Ransomware attack… One day during the project, two staff members in the Billing department were going about their daily tasks, which involved working with shared files on a network-mapped drive (e.g. the N: drive). One of them noticed that new files were spontaneously being created and that the file icons in the network folder were changing. Being attentive, she noticed one was named ransom.txt.

Acting quickly, she contacted the IT Helpdesk, who were trained to escalate all security-related service-desk requests immediately to the HIPAA Security Officer (HSO). The HSO logged into the N: shared drive and found that Care Health files were slowly being encrypted!

How do you stop a Ransomware attack?
The Security Officer ran Bitdefender full scans on the Billing department computers and found nothing. He then installed and ran Windows Defender, which on Server 2012 carries the most current malicious-software removal utilities, and found Tescrypt. Installing Windows Defender on the two desktops not only detected it but also removed it.

This Ransomware variant had somehow infected the system and was encrypting these files. The quick-acting team at Care Health recognized the attack and stopped the Tescrypt variant before patient data were compromised. Backups were used to restore the few dozen encrypted files on the network drive. It was a close call, but Care Health was ready and the crisis was averted.
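The signals the Billing clerk caught by eye, a new ransom.txt and files on the mapped drive changing type, can be checked mechanically between two polls of the share. The following is an added example, not code from the post or from HIPAA One; the note-name pattern, the 25% burst threshold and the .locked extension in the constructed sample polls are assumptions for illustration.

```python
"""Constructed example (not code from the post): diff two polls of a mapped share
to flag what the Care Health clerk saw by eye: a new ransom note and many files
changing type at once."""
import os
import re
from dataclasses import dataclass, field

# Assumed note-name pattern; the post itself only names ransom.txt.
RANSOM_NOTE_RE = re.compile(r"^(ransom|help_?decrypt|how_?to_?decrypt).*\.(txt|html?)$", re.I)
# Assumed threshold: far more of the share changing per poll than clerks edit by hand.
BURST_RATIO = 0.25


@dataclass
class ShareAlert:
    ransom_notes: list = field(default_factory=list)
    retyped: list = field(default_factory=list)   # (old path, new path) pairs
    change_ratio: float = 0.0

    @property
    def triggered(self) -> bool:
        return bool(self.ransom_notes) or self.change_ratio >= BURST_RATIO


def snapshot(root: str) -> dict:
    """One poll of a share: relative path -> mtime for every file under root."""
    seen = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            seen[os.path.relpath(full, root)] = os.path.getmtime(full)
    return seen


def diff_snapshots(before: dict, after: dict) -> ShareAlert:
    """Compare two polls and report new notes plus the encrypt-then-rename pattern."""
    alert = ShareAlert()
    gone = [p for p in before if p not in after]
    new = [p for p in after if p not in before]
    modified = [p for p in before if p in after and after[p] != before[p]]
    # Only files absent at the previous poll count, so an old readme.txt is not flagged.
    alert.ransom_notes = [p for p in new if RANSOM_NOTE_RE.match(os.path.basename(p))]
    # A vanished file replaced by a same-stem file, or by its own name plus an
    # appended extension, is the classic sign of in-place encryption.
    for old in gone:
        old_stem = os.path.splitext(old)[0]
        for cand in new:
            if cand.startswith(old + ".") or os.path.splitext(cand)[0] == old_stem:
                alert.retyped.append((old, cand))
    if before:
        alert.change_ratio = (len(alert.retyped) + len(modified)) / len(before)
    return alert


# Constructed polls of a Billing folder on the N: share: normal editing, then the attack.
POLL_T0 = {"claim1.xlsx": 1.0, "claim2.xlsx": 1.0, "claim3.xlsx": 1.0,
           "notes.docx": 1.0, "readme.txt": 1.0}
POLL_BENIGN = {**POLL_T0, "notes.docx": 2.0}            # one clerk saved a document
POLL_ATTACK = {"claim1.xlsx.locked": 3.0, "claim2.xlsx.locked": 3.0, "claim3.xlsx": 1.0,
               "notes.docx": 1.0, "readme.txt": 1.0, "ransom.txt": 3.1}
```

On a live share, call `snapshot()` on the mapped path at each poll and pass consecutive results to `diff_snapshots()`; an alert with `triggered` set is the cue to escalate to the HSO the way the clerk did.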

Upon a configuration review of all of Care Health’s security appliances, WebSense was found to have been configured to allow “zero-reputation” websites through. Zero-reputation websites are new sites without a known reputation and are commonly used by attackers to deliver these types of attacks. At Care Health, the Ransomware apparently came from a legitimate website carrying an infected banner ad from a zero-reputation source. The banner ad was configured to trigger a client-browser download before the user was allowed to see the legitimate web page. This forced visitors to the website to download the executable from the banner ad and unknowingly install the Ransomware on their local computer. Once installed, the Ransomware would start encrypting files on the highest-lettered network drives first.

Lesson Learned
Ransomware is here to stay and attacks are rising. Healthcare organizations need to have policies and procedures in place to prevent these attacks, along with a comprehensive user training and awareness program. The HIPAA One® software is one of the most secure ways to implement a HIPAA Security Compliance Program. But a risk analysis is only one step… Ultimately, organizations must build first-rate end-user awareness and training programs, so that, as at Care Health, employees know to quickly report suspicious activities to the designated security officer and thereby defend against Ransomware, Phishing and “sophisticated malware attacks”.

To learn more about stopping Malware and using HIPAA One® as your HIPAA Security Risk Analysis accelerator, click to learn more, or call us at 801-770-1199.

HIPAA One® is a proud sponsor of EMR and HIPAA.

Revisiting the ROI of an EHR Investment

Posted on August 5, 2014

The following is a guest post by Barry Haitoff, CEO of Medical Management Corporation of America.
Now that we’re well on the road to being meaningful users of an EHR, I thought it would be interesting to take a step back and look at the ROI of an EHR investment. Hopefully this will be a valuable resource for those still considering an EHR investment and those who’ve already adopted an EHR in their practice. Some of the items listed below are benefits you receive automatically just by using an EHR. Other benefits require some thought and effort on your part. Hopefully this list will remind you of EHR benefits you might have forgotten and ones you can still work to achieve.

Repurpose Space – One of the big advantages of EHR software is that you can store your entire chart room on a relatively small server. Plus, if you’re using a hosted EHR solution, you don’t even need space in your office for a server. Once your paper charts get scanned into your EHR, you can often repurpose your chart room into a revenue generating exam room. I’ve seen some cases where an extra exam room made it possible to bring on another doctor or mid-level provider. In other cases, the extra exam room was able to make existing doctors more efficient. Either way, I don’t know very many practices who say, “We have too much space.”

Eliminate or Repurpose Staff – Nobody likes the idea of eliminating staff as part of an EHR implementation. However, there are two ways I’ve seen organizations reduce staff after implementing an EHR. First, some organizations reduce their staff through natural employee attrition. When a member of your staff chooses to leave your organization, some organizations decide not to replace that staff member since many of their duties are no longer needed in an EHR world. Second, some organizations take their existing staff and repurpose them to perform other tasks. For example, I’ve seen HIM (medical records) staff who are also medical assistants switch to more of a clinical role in the organization after implementing an EHR.

Avoid Penalties – One of the best reasons to make an early investment in an EHR is to avoid the government penalties. I’ve written about the meaningful use and PQRS penalties before, but this is likely just the start of the penalties the government and private payers will implement on those who don’t use an EHR. The long-term ROI of these penalties is very large for most practices.

Quality Measures and Value Based Reimbursement – Meaningful Use together with the Value Based Reimbursement Modifier (VM) are the start of a shift towards reporting and getting paid based on clinical quality measures and outcomes. EHR software is at the center of this shift and will be essential to easily document and report these measures and outcomes. While we can put a hard number on the EHR incentive payments that are tied to these measures and the VM, you can be certain that this number will only continue to grow as the government and payers require more data.

Improved Charge Capture – Eight years ago, improved charge capture was the main ROI mechanism that EMR vendors used to sell software. The idea was that the EMR could help you more fully document the patient visit and thus allow you to bill at a higher level than you were doing previously. As in most things involving money, some doctors took this too far and started using the EMR to over-code visits. These EHR over-coding abusers aside, the majority of doctors I know are chronic under-coders. Many of these doctors under-code because they don’t want to spend time documenting the normal findings that would let them code at a higher level. A well-implemented EHR can help doctors fully document even the normal findings in a visit and therefore allow them to bill at a higher level.

Cancel Transcription – Depending on how you use (or don’t use) transcription, this may or may not be a part of your EHR ROI calculation. While transcription can still be used with an EHR, the majority of EHR users stop transcribing as part of the EHR implementation process. Once you make the switch to documenting directly in the EHR or using voice recognition, it’s easy to forget how much money you were spending on transcription.

Improved Workflows – Well-implemented EHR software can improve your clinic’s workflows. The lab result workflow is a great example of how an EHR can improve the workflow in your office. The amount of time saved ordering labs and retrieving lab results in an EHR world is significant. Sure, lab interfaces aren’t perfect, but they’re a lot better than the paper model. You can see similar workflow benefits from X-rays and even a well-implemented patient portal. Of course, your workflow can be negatively impacted if you’re not careful and thoughtful in how you implement your EHR. However, EHR technology can do a lot to improve a clinic’s workflow when you replace time-intensive paper processes.

Streamlined Internal Communication – Related to improved workflows is improved communication. When it comes to internal office communication, most EHR software comes with a secure internal messaging service or task system. This replaces all those sticky notes, stacks of charts, or notes in boxes that were used previously. Now messages aren’t lost and can be more easily tracked in the internal EHR messaging. Plus, you can also often report on how fast tasks are being completed.

Streamlined External Communication – We’re still early in EHR’s ability to facilitate secure communication with external providers. While some EHR software offers a provider portal for this communication, I’m more interested in the progress of Direct Project which allows the secure transfer of patient records between doctors. As these technologies mature, the time saved at the fax machine and sorting data records will be tremendous.

Eliminate Paper – Once you implement an EHR, you quickly forget how much money you were spending on paper and paper charts. Don’t forget to think about this cost savings when looking at the value of EHR. While some paper just disappears post EHR implementation, you’ll likely find that there’s still plenty of paper lingering around your office. You’ll never eliminate all of the paper from your practice, but you should ask yourself if you really need the paper you’re using or if it’s just part of an old practice that’s no longer needed. Furthermore, many EHR enabled offices print off insane amounts of paper from their EHR for no reason. This extra cost can be avoided with a little planning and awareness.

Chart Search Time – This is another one of the EHR benefits that quickly gets taken for granted. In the EHR world, it is extremely simple to find the right chart. I don’t need to outline the challenges that existed in the paper world with finding the paper charts. Medical records staff were amazing at organizing and finding paper charts, but this all required a lot of time organizing and locating the right chart. This is all but eliminated in the EMR world.

Along with the financial and efficiency benefits mentioned above, there are lots of other benefits to using an EHR like: legible notes, drug-to-drug interaction checking, and ePrescribing to name a few. However, even more important than all of the benefits mentioned above is how important an EHR will be to future reimbursement and care. As was mentioned, Medicare has started penalizing non-EHR users and we’ll likely see other payers in some form or fashion follow their lead. Along with current and future EHR-related penalties, there’s a real risk that you won’t be able to practice the highest quality medicine without an EHR and the future technologies it facilitates. The medical standard of care will likely require an EHR.

Medical Management Corporation of America, a leading provider of medical billing services, is a proud sponsor of EMR and HIPAA.

Meaningful Use Audits, RAC Audits, and HIPAA Audits

Posted on July 14, 2014

The following is a guest post by Barry Haitoff, CEO of Medical Management Corporation of America.
Healthcare has always been a deeply regulated industry, so in many ways healthcare organizations are already used to dealing with government scrutiny. However, we’ve recently seen a number of new audit programs hit the healthcare world that didn’t exist even a few years ago. Here’s a look at a few of them you should be prepared for.

Meaningful Use Audits
This is one of the newest audit programs to hit healthcare. Depending on your attestation history, it could have a tremendous impact on your organization’s financial health. These EHR incentive audits have been happening across every size of organization and are conducted by the CMS-hired auditing firm, Figliozzi and Company of Garden City, N.Y. If you get a letter or email from Figliozzi you’ll know what it is right away. An EHR incentive audit is a big deal since the meaningful use program is all or nothing. If they find even one thing wrong with your meaningful use attestation, you could lose ALL of your EHR incentive money.

CMS recently released an informative guidance document outlining the supporting documentation needed for an EHR incentive audit. Pages 4 and 5 of the document go through the self-attestation objectives and others detailing the audit validation and suggested documentation needed for each. If you’ve attested to meaningful use, then you’ll want to take some time to go through the document to make sure you can provide the necessary documentation if needed. In many cases this simply includes dated screenshots to prove measure completion. While many EHR vendors can be helpful in the meaningful use audit process, you should not totally rely on them.

In a recent blog post, Jim Tate makes a compelling case for why you might want to consider doing a mock EHR incentive audit and how to make sure that the audit is effective. Although smaller organizations won’t likely be able to afford an outside audit, having it done by someone in your organization that wasn’t involved in the attestation is beneficial. The CMS guidance document could be used as a guide. A mock audit could help discover any potential issues and help you put mitigation strategies in place before you have a real audit and your hands are tied.

Recovery Audit Contractor (RAC) Audits
RAC audits are currently on hold as CMS works to improve the program and deal with the enormous audit backlog. We still haven’t heard from CMS about when the RAC audits will resume, but we should hear something later this summer. While no RAC audits are occurring right now, that doesn’t mean that once the RAC audits resume, the claims you’re filing today can’t and won’t be audited.

The best thing you can do to be prepared for RAC audits is to make sure that your documentation and billing ducks are in a row. A great place to start is to look at your most common denials and look at how you can improve your clinical documentation, coding and billing for each of these denials. Also, make sure that your process for responding to audits is standardized and effective. The RAC audit is just one example of an audit performed by payers. Don’t be surprised if you’re subjected to audits from other agencies or commercial payers.

RAC audits recovered billions of dollars in overpayments in recent years. You can be sure that they will continue and that other similar initiatives are coming our way. There’s just too much incentive for the government not to do it.

HIPAA Audits
The US Department of Health and Human Services’ Office for Civil Rights (HHS OCR) first started doing HIPAA audits as part of a 2011 pilot program. It’s fair to say that HHS OCR’s audit program was one of discovery as much as it was of compliance. However, the HITECH Act and Omnibus Rule have started to up the ante when it comes to enforcement of HIPAA. HHS OCR announced that they’d be surveying 800 covered entities and 400 business associates to select the next round of audit subjects. An OCR Spokesperson said, “We hope to audit 350 covered entities and 50 BAs in this first go around.”

Unlike previous audits that were done by KPMG, these HIPAA audits will be done by OCR staff. One area that these audits will likely focus on is the HIPAA Security Risk Assessment. The importance of doing this cannot be overstated and is illustrated by the fact that it’s a requirement for meaningful use. I will be surprised if these audits don’t also focus on the new HIPAA Omnibus Rule requirements. I’m sure many of the HIPAA audits will catch organizations that never updated their HIPAA policies to comply with HIPAA Omnibus.

No one enjoys an audit of any sort. However, being well prepared for an audit will provide some level of comfort to yourself and your organization. Now is your opportunity to make sure you’re well prepared for these audits that could be coming your way. These audit programs likely aren’t going anywhere, so take the time to make sure you’re prepared.

Medical Management Corporation of America, a leading provider of medical billing services, is a proud sponsor of EMR and HIPAA.